-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
New packages available from www.fedoralegacy.org/contrib/perl:
sha1sums:
28852d9a69ca496003539cb7bc0b8dfefd4e976e  perl-5.6.1-38.0.7.3.legacy.i386.rpm
a273e8ee1cb2002a50e902b80b99717dbb8dead4  perl-5.6.1-38.0.7.3.legacy.src.rpm
96ec8de6c683eaefd0438a690a34e6b3c9ddc632  perl-CGI-2.752-38.0.7.3.legacy.i386.rpm
6aa4a91e5a5db3c4abeab159180fe322545774d4  perl-CPAN-1.59_54-38.0.7.3.legacy.i386.rpm
745db16e8eed1628119486f2c23728102b54ff91  perl-DB_File-1.75-38.0.7.3.legacy.i386.rpm
f27b852928b216b744501a98d9b66725e16a4e31  perl-NDBM_File-1.75-38.0.7.3.legacy.i386.rpm
730278d78467815c7c7a668b66744c31f7898b3c  perl-suidperl-5.6.1-38.0.7.3.legacy.i386.rpm
f2d8a62e9e706b9f5a9cd05e01aedb70a81baf77  perl-5.8.0-90.0.9.legacy.i386.rpm
091966a58e7ec33f338dc1cedc361f5329850784  perl-5.8.0-90.0.9.legacy.src.rpm
97527dc626a0697d371c96dc43bdb536659bfb7c  perl-CGI-2.81-90.0.9.legacy.i386.rpm
40e4711a83c9a9197625dc14fd7febff3f56bb19  perl-CPAN-1.61-90.0.9.legacy.i386.rpm
6f428af51926e0db73be0d32442831d09aeab6eb  perl-DB_File-1.804-90.0.9.legacy.i386.rpm
36bd2d612945974fd807e9a208740bb12fd8d335  perl-suidperl-5.8.0-90.0.9.legacy.i386.rpm
55fc6e964b174f99b55a939318def0eb2825c600  perl-5.8.3-18.1.legacy.i386.rpm
c0c9e8b56e5a7ad86bd989072b88fa063d00be1d  perl-5.8.3-18.1.legacy.src.rpm
026db63cf7f996c2d3ed456c4dd3058ab7d29330  perl-suidperl-5.8.3-18.1.legacy.i386.rpm
I had to modify the Gentoo patch to remove the "unless $!{ENOENT}" clause
because that was causing build failures. The original Gentoo patch works
fine as long as your installed Perl was built on the exact Linux kernel
version you're running. Otherwise Errno.pm errors out.
The RHL 7.3 and 9 packages are not guaranteed to build properly in Mach
because the build script assumes that "rpm -ql" works. I haven't heard
any suggestions about how to work around this. Should I assume that the
files in question are set in stone now and just build the lists by hand?
I installed the RHL 7.3 packages on a test box and rebooted. I haven't
noticed any problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFC3QbbJL4A+ldA7asRAhw5AJ9T2LVywo2bGvUbq56x3Q7Je7jUDACguM45
JyorZMWaUnuioHHPksUozx4=
=rlNq
-----END PGP SIGNATURE-----
P. S. Which patches are needed for FC2?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AFAICS, FC2's perl-5.8.3-18 doesn't include any of these fixes,
so everything should be included there as well.
Analysis of the patches:
perl-5.6.1-CAN-2005-0448-rmtree.patch: ASCII English text -> OK, gentoo
==> matches
http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/CAN-2005-0448-rmtree.patch
perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch: ASCII English text
==> matches RHEL3's perl-DBI's tmpfix patch.
perl-5.6.1-cgi.pm.patch
==> matches RHEL3's perl-5.8.0-CGI-encoded-path.patch
perl-5.6.1-CAN-2005-0155-0156-perlio.patch
==> matches RHEL3's perl-5.8.0-bug33990.patch
perl-5.8.0-tempfile-5.8.3-backport.patch
==> is pretty close but not quite equal to
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325 and the gentoo
bug.
Notes:
- What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?
- FC1 includes only solar's tmpfile patch!?!
- FC2 has apparently been done against a previous version, not 5.8.3-18,
as FC changes adding perl-5.8.3-empty-rpath.patch and
perl-5.8.3-findbin-selinux.patch were lost.
- There have been a substantial number of changes in the spec file for
FC1 and FC2.
- RHL73 has the perlio and cgi.pm patches commented out (???).
- In all the versions, perl-DBI patch has been commented out (??)
- in at least RHL73 and RHL9, there have been changes in PKGS line
in the spec file, removing at least libgr-devel.
Is there a reason for these changes?
- could you tell a bit about the methodology used to construct the tempfile backport
for 5.6.1?
- Note that 5.8.3 does not completely solve the tempfile issues, at least this is what
the remainder patch in gentoo leads to believe:
http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFC3pBdGHbTkzxSL7QRApziAJ9cAboAWNU7Os0ARZmheD+W3MYbjACgmxMY
YB0XhAYouRD0/d3+0tdcUmA=
=Sf4I
-----END PGP SIGNATURE-----

Notes:
- What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?
------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 15:30:25 ----
Hey John, the patch you backported in comment #1...there seems to be a bunch of
stuff missing from it if I compare it to the one in Red Hat's bugzilla.
For example:
--- perl-5.8.3.orig/ext/DB_File/DB_File.pm Mon Jan 19 18:46:25 2004
+++ perl-5.8.3/ext/DB_File/DB_File.pm Mon Jan 19 20:14:11 2004
@@ -1821,7 +1821,7 @@
use DB_File ;
my %hash ;
- my $filename = "/tmp/filt" ;
+ my $filename = "/var/run/filt" ;
unlink $filename ;
my $db = tie %hash, 'DB_File', $filename, O_CREAT|O_RDWR, 0666, $DB_HASH
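Review bot: the only change in this hunk is the sample path, and moving the POD
example from /tmp/filt to /var/run/filt makes the example fail for every
non-root user, since only root can create files under /var/run (the same
objection is raised further down in this thread for perldbtty). The pattern the
sample keeps, a fixed name that is unlinked and then tied with O_CREAT|O_RDWR
and mode 0666, is exactly the predictable-tempfile race the tempfile patches are
meant to remove, so a per-user location such as "$ENV{HOME}/filt" or a
File::Temp-generated name would be the more instructive replacement.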
@@ -1863,7 +1863,7 @@
use strict ;
use DB_File ;
my %hash ;
- my $filename = "/tmp/filt" ;
+ my $filename = "/var/run/filt" ;
unlink $filename ;
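Review bot: same path change as the previous hunk, in a second POD sample
block, and the same remark applies. Both hunks touch documentation only, so
leaving them out of the 5.6.1 backport when the existing solartmp patch already
covers them (as reported in the reply below) drops no security fix.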
What was your source? Am I missing something?
------- Additional Comments From jpdalbec@ysu.edu 2005-03-07 03:24:51 ----
I had to strip out those hunks because they were already included in the
existing perl-5.6.1-solartmp.patch.
- FC1 includes only solar's tmpfile patch!?!
Did you download the correct RPM?
- FC2 has apparently been done against a previous version, not 5.8.3-18,
as FC changes adding perl-5.8.3-empty-rpath.patch and
perl-5.8.3-findbin-selinux.patch were lost.
I haven't built an FC2 RPM yet so I don't know what you mean here.
- There have been a substantial number of changes in the spec file for
FC1 and FC2.
Compared to RHL73 and RHL9, you mean?
- RHL73 has the perlio and cgi.pm patches commented out (???).
I couldn't find anything resembling the affected code in perlio.c; the affected
code in CGI.pm was already commented out, prefaced by "# If anybody knows why I
ever wrote this please tell me!"
- In all the versions, perl-DBI patch has been commented out (??)
I couldn't find DBI in the source tree. It appears to come from a different
source RPM (perl-DBI). Should that be a separate bug?
- in at least RHL73 and RHL9, there have been changes in PKGS line
in the spec file, removing at least libgr-devel.
Is there a reason for these changes?
There is no libgr-devel package in RHL73 or RHL9. I think I removed a couple
other packages that don't exist as well.
- could you tell a bit about the methodology used to construct the tempfile backport
for 5.6.1?
1. Add original patch to .spec file.
2. rpm -bp
3. See what hunks fail to apply.
4. If a hunk is already applied, remove it from the patch.
5. If nothing in the code looks like the hunk applies to it, remove the hunk
from the patch.
6. Fix the remaining hunks.
- Note that 5.8.3 does not completely solve the tempfile issues, at least this is what
the remainder patch in gentoo leads to believe:
http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch
I'll take a look at it.
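
As an added illustration of the six-step backport recipe given in the comment
above (editor-supplied example code, not anything from this bug, from the
Fedora Legacy packages or from rpm/patch), here is a small Python script that
does steps 3 to 5 mechanically. It splits a unified diff into hunks and, for
each hunk, checks the target source: if the hunk's pre-image (context plus
"-" lines) is present, the hunk applies; if only the post-image (context plus
"+" lines) is present, it is already applied and can be dropped; if neither is
present, the code it targets does not exist in this version and it can be
dropped too. The SOURCE and PATCH strings are constructed samples; the file
name Sample.pm and the debug_io subroutine are invented for the illustration.

```python
import re

# Unified-diff hunk header: "@@ -old_start[,old_len] +new_start[,new_len] @@"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def split_hunks(patch_text):
    """Return one {'header', 'old_start', 'lines'} dict per @@ hunk in the diff."""
    hunks, current = [], None
    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            current = {"header": line, "old_start": int(m.group(1)), "lines": []}
            hunks.append(current)
        elif line.startswith("--- ") or line.startswith("+++ "):
            current = None                      # file header of the next file
        elif current is None:
            continue                            # prose or headers outside any hunk
        elif line == "":
            current["lines"].append(" ")        # blank context line, trailing space stripped
        elif line[0] in " +-":
            current["lines"].append(line)
        elif line.startswith("\\"):
            continue                            # "\ No newline at end of file"
        else:
            current = None
    return hunks


def _locate(needle, haystack, hint):
    """Index at which the line list `needle` occurs in `haystack`, nearest to `hint`; -1 if absent."""
    n = len(needle)
    candidates = range(max(0, len(haystack) - n + 1))
    for i in sorted(candidates, key=lambda i: abs(i - hint)):
        if haystack[i:i + n] == needle:
            return i
    return -1


def classify_hunk(hunk, source_lines):
    """Steps 3-5 of the recipe for one hunk: 'applies', 'already-applied' or 'no-match'."""
    pre = [l[1:] for l in hunk["lines"] if l[0] in " -"]    # what the hunk expects to find
    post = [l[1:] for l in hunk["lines"] if l[0] in " +"]   # what the file looks like afterwards
    hint = hunk["old_start"] - 1
    if _locate(pre, source_lines, hint) >= 0:
        return "applies"
    if _locate(post, source_lines, hint) >= 0:
        return "already-applied"
    return "no-match"


def prune_patch(patch_text, source_text):
    """Return (kept, dropped): lists of (hunk, verdict); only hunks that apply are kept."""
    src = source_text.splitlines()
    kept, dropped = [], []
    for h in split_hunks(patch_text):
        verdict = classify_hunk(h, src)
        (kept if verdict == "applies" else dropped).append((h, verdict))
    return kept, dropped


def render(kept):
    """Re-emit kept hunks as diff text (prefix with the original ---/+++ header before feeding to patch)."""
    out = []
    for h, _ in kept:
        out.append(h["header"])
        out.extend(h["lines"])
    return "\n".join(out) + "\n"


# Constructed sample: a Perl file that already carries one of the fixes, and a
# three-hunk patch written against a newer version of that file.
SOURCE = """use strict;
use DB_File;
my %hash;
my $filename = "$ENV{HOME}/filt";
unlink $filename;
sub rmtree {
    my $path = shift;
    chmod 0777, $path;
    return 1;
}
"""

PATCH = """--- a/Sample.pm
+++ b/Sample.pm
@@ -2,3 +2,3 @@
 use DB_File;
 my %hash;
-my $filename = "/tmp/filt";
+my $filename = "$ENV{HOME}/filt";
@@ -6,4 +6,5 @@
 sub rmtree {
     my $path = shift;
-    chmod 0777, $path;
+    my ($dev, $ino) = lstat $path or return 0;
+    chmod 0700, $path;
     return 1;
@@ -40,3 +41,4 @@
 sub debug_io {
     my $fh = shift;
+    return unless defined $fh;
     print $fh "debug";
"""

if __name__ == "__main__":
    kept, dropped = prune_patch(PATCH, SOURCE)
    for h, verdict in dropped:
        print("drop", h["header"], verdict)
    print(render(kept))
```

Run on the sample, the first hunk is reported already-applied, the third as
having no matching code, and only the rmtree hunk survives; the surviving
hunks keep their old-side line numbers, so patch(1) still finds them with its
usual fuzz. Step 6 of the recipe, fixing hunks that match only partially, is
still manual: the script is deliberately all-or-nothing so that it never
claims a hunk applies when only part of its context is present.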

On further review of the .spec file, PKGS doesn't matter because the filter
selects only files in /usr/include/include/, which doesn't exist! Should I fix
that? It doesn't seem to have bothered anyone so far, and it's not a security
issue. The (RHL 7.3) package still builds OK if I make the change. Of course I
still need to deal with the Mach issue unless we're not using Mach for our build
system any more.

Sorry, I thought 'perl-5.8.3-18.1.legacy.src.rpm' was for FC2, and .17.1.legacy
for FC1, but I was wrong. In any case, I think perl-5.8.3-18.1.legacy.src.rpm
needs to be renamed to be numerically smaller than FC2's package
(perl-5.8.3-18.src.rpm), e.g., perl-5.8.3-17.2.legacy.src.rpm?
With regard to the spec file changes, FC1 packages have a lot of whitespace
changes which don't seem to be necessary?
Perlio indeed doesn't seem to be needed for RHL73. Also agree on cgi.pm.
Perl-DBI seems to require its own patches, yes.
I'd prefer not to modify PKGS line from what has been shipped by Red Hat unless
it's required for the packages to build.
I guess I'd have to review the solartmp patch(es); the other patches look good
as is.

Created attachment 118908
A test of CGI.pm my FC1 build of perl-5.8.3 fails (perl scripts and output) - related to perl-5.8.3-cgi.pm.patch
Source QA for the Fedora Core 1 .src.rpm.
c0c9e8b56e5a7ad86bd989072b88fa063d00be1d perl-5.8.3-18.1.legacy.src.rpm
downloaded from www.fedoralegacy.org/contrib/perl,
Sources:
* source rpm perl-5.8.3.tar.gz appears pristine
* All previous patches from FC1's perl-5.8.3-16.src.rpm are the same.
Patches:
I did my comparisons with similar patches from Debian.
* perl-5.8.3-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448
patch. Is properly commented out in the spec file.
* perl-5.8.3-CAN-2005-0077-perl-DBI-tmpfile.patch: This patch does not
belong with this .srpm package. Instead, it should patch the
perl-DBI .srpm package (in FC1, perl-DBI-1.37-1.src.rpm).
* perl-5.8.3-CAN-2005-0155-0156-perlio.patch: Same as Debian's. Good.
* perl-5.8.3-CAN-2005-0448-rmtree.patch: Looks good. This is major surgery
on lib/File/Path.pm, but this seems to be the standard fix. Only
a very slight difference from Debian's patch, and ours seems fine.
("<" Debian's; ">" ours):
44c44
< @@ -166,111 +157,129 @@
---
> @@ -166,111 +157,133 @@
75c75,79
< + my ($dev, $ino) = lstat $path or return 0;
---
> + my ($dev, $ino) = lstat $path or do {
> + carp "Can't stat $prefix$path ($!)";# unless $!{ENOENT};
> + return 0;
> + };
> +
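Review bot: with `unless $!{ENOENT}` commented out, the new carp fires on every
lstat failure, including a path that a concurrent rmtree has already removed,
so this version trades the Errno.pm build problem described in comment 3 for
noisy warnings; the `return 0` that follows is still the right outcome. If %!
cannot be used on the 5.6.1 build, the same filtering can be done numerically,
e.g. `carp "Can't stat $prefix$path ($!)" unless $! == POSIX::ENOENT;`, which
is worth trying before dropping the filter altogether.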
* perl-5.8.3-cgi.pm.patch: This patch causes some problems. When doing
the build phase (rpmbuild -bc), during the regression tests, one of the
tests of lib/CGI.pm fails (from my build log):
lib/CGI/t/request....................FAILED at test 15
...
Failed 1 test script out of 821, 99.88% okay.
### Since not all tests were successful, you may want to run some of
### them individually and examine any diagnostic messages they
### produce. See the INSTALL document's section on "make test".
The test does not fail on the CGI.pm in my present install of
perl-5.8.3-16.
I created a slightly more instrumented version of request.t, and ran it
according to the INSTALL instructions (both request.t and my_request.t
are enclosed, along with the output of both in tests.tar.gz):
Am attempting to investigate whether or not this patch for perl-5.8.0
is valid for FC1's perl-5.8.3 .... It appears that this patch was supplied
by an end-user and was thrown in by Red Hat for the RHEL 3 Linux
product (see Bug #140227), during their fix (RHSA-2005-105). Note
particularly where the end user notes, "Later issues of perl seem
to have this fixed." (Bug #140227 comment 0).
John, does this test fail on any of your compiles/builds? Isn't the
distro that you use RH 7.3? Does it fail in any other builds of other
distros?
... to be continued ...
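
The CAN-2005-0448 rmtree patch reviewed above guards against a symlink race:
between the moment File::Path examines a directory and the moment it chmods or
unlinks inside it, a local attacker can swap that directory for a symlink so
the operation lands on a file elsewhere, which is why the fix takes an lstat
and compares device and inode. As an added example (editor-supplied Python,
not code from this bug, from Perl's File::Path or from any of the patches
discussed), here is the same defence written out: lstat the path, open it with
O_NOFOLLOW, confirm the dev/ino pair with fstat on the open descriptor, and do
every delete relative to that descriptor instead of through a path string. It
needs a Unix Python with dir_fd support (Linux, macOS); the demo() fixture,
including the "victim" directory and the planted symlink, is constructed.

```python
import os
import shutil
import stat
import tempfile


class UnsafePathError(RuntimeError):
    """Raised when the tree being removed is, or has become, something other than a plain directory."""


def _same_inode(a, b):
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def _empty_dir(dfd):
    """Delete everything below the already-open directory descriptor dfd, never following symlinks."""
    for name in os.listdir(dfd):
        st = os.lstat(name, dir_fd=dfd)          # lstat reports a symlink as a symlink
        if stat.S_ISDIR(st.st_mode):
            cfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            try:
                # The entry could have been swapped between lstat and open: compare dev/ino,
                # which is the check the File::Path fix adds around its chmod.
                if not _same_inode(st, os.fstat(cfd)):
                    raise UnsafePathError("entry %r changed underneath us" % name)
                _empty_dir(cfd)
            finally:
                os.close(cfd)
            os.rmdir(name, dir_fd=dfd)
        else:
            os.unlink(name, dir_fd=dfd)          # regular files and symlinks: remove the entry itself


def safe_rmtree(path):
    """Recursively delete `path`, refusing symlinks and re-verifying identity after open."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError("%r is not a directory (symlinks are refused)" % path)
    dfd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if not _same_inode(st, os.fstat(dfd)):
            raise UnsafePathError("%r changed between lstat and open" % path)
        _empty_dir(dfd)
    finally:
        os.close(dfd)
    os.rmdir(path)                               # rmdir never follows a symlink in the last component


def demo():
    """Constructed fixture: returns (target_removed, victim_intact, symlink_refused)."""
    base = tempfile.mkdtemp(prefix="rmtree-demo-")
    try:
        victim = os.path.join(base, "victim")           # the tree an attacker wants deleted
        os.makedirs(os.path.join(victim, "inner"))
        with open(os.path.join(victim, "inner", "keep.txt"), "w") as fh:
            fh.write("must survive\n")
        target = os.path.join(base, "target")           # the tree we legitimately remove
        os.makedirs(os.path.join(target, "sub"))
        with open(os.path.join(target, "sub", "junk.txt"), "w") as fh:
            fh.write("delete me\n")
        os.symlink(victim, os.path.join(target, "escape"))   # the planted symlink

        safe_rmtree(target)
        target_removed = not os.path.lexists(target)
        victim_intact = os.path.exists(os.path.join(victim, "inner", "keep.txt"))

        toplink = os.path.join(base, "toplink")         # a symlink handed in as the root itself
        os.symlink(victim, toplink)
        try:
            safe_rmtree(toplink)
            symlink_refused = False
        except UnsafePathError:
            symlink_refused = True
        return target_removed, victim_intact, symlink_refused
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The important design choice is that no operation after the initial open goes
through a path: names are resolved relative to the open directory descriptor
with dir_fd, so even if an attacker renames part of the tree mid-walk, the
deletes cannot be redirected outside it. A walk that rebuilds full path strings
at each level, which is what the unpatched File::Path did, is exactly what the
race exploits.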

Created attachment 119002
comment9.tar.gz - patches, comments (see bug 152845 comment 9)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
da39e2723072e29a8e5831210f20591de1ab735c comment9.tar.gz (attached)
* perl-5.8.3-cgi.pm.patch (continued): This patch is unnecessary and
should be removed. The bug that perl-5.8.0-CGI-encoded-path.patch
fixes in perl-5.8.0 appears to already be fixed in existing code in
perl-5.8.3's CGI.pm.
This patch adds a bit of code that essentially duplicates adding
backslashes (or "quoting") certain characters that CGI.pm's existing
use of the internal "quotemeta" Perl function already is doing, so
including this patch breaks the code. For more details, see the file
"About_perl-5.8.3-cgi.pm.patch_.txt" in the CGI.pm/ directory of the
attached tarball.
* perl-5.8.3-tempfile.patch -- This must be the solartmp patch, for
CAN-2004-0976? It compares very favorably with the Debian patch for
insecure tempfiles. It patches quite a bit more than the Debian patch
(mostly documentation). It looks okay, but I have made a couple of
tweaks for that patch file, that changes it to be a little more like
Debian's patch in a few places where it makes sense to do so.
The tweaks are in the attached tarball in directory tempfile/. The
original file is "perl-5.8.3-tempfile.patch.ori", and my tweaked patch
file is "perl-5.8.3-tempfile.patch". For comparison, Debian's patch
is also there, called "09_fix_insecure_tempfiles", gleaned from their
<http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8.diff.gz>.
* perl.spec -- Enclosed is an update to perl.spec from perl-5.8.3-18.1.src.rpm:
1) Changed the release to make it perl-5.8.3-17.3.legacy so it will
not conflict with Fedora Core 2's perl
2) Restored the white-space that was in the previous release's,
(perl-5.8.3-16's) specfile.
3) Removed the CAN-2005-0077 patch as it does not apply to this
package.
4) Removed the perl-5.8.3-cgi.pm.patch, as discussed above.
The "perl-5.8.3-16.spec" (from RH's FC1 perl update of March, 2004),
"perl.spec.ori" (from perl-5.8.3-18.1.src.rpm), and "perl.spec" (my
update) can all be found in the specfile/ directory of the tarball.
I've built and installed rpms from the .src.rpm resulting from these
changes, and run a number of perl programs from it, including a .cgi
program, and all seem to work well. Plan to post an updated .src.rpm within
the next day or so.
If you have any thoughts or comments about the changes, please let me know.
Thanks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDLxZixou1V/j9XZwRAl4hAJ0caE2CgTKek7Ya3UXYUe95a7O9iACgwmcJ
bApwyV+/K3m6EupY/STEROw=
=yD3J
-----END PGP SIGNATURE-----

It seems that Patch1001 could be commented out because it's not applied..
The two patches look good, but I'm still having issues with the solar tmpfile
patch. The first version proposed by John was 30K. Debian has similar
elements, but that's only 10K. It's nontrivial to figure out the rest. Do you
know the source for the solar's patch? Is there something to compare the 30K
patch we're using against?
In the overlapping parts, there are some differences wrt. whether the paths are
included or not compare "my $filename = filt" vs "my $filename = /var/run/filt"
and on ppport.pm. It's not clear how I could determine which one is correct.

I believe I created the solar tmpfile patch starting with the patch from bug
#136325 ("needs backporting") and removed/fixed hunks that didn't apply or were
already applied by the previous solar tmpfile patch.

(In reply to comment #12)
> It seems that Patch1001 could be commented out because it's not applied..
Can do.
> The two patches look good, but I'm still having issues with the solar
> tmpfile patch. The first version proposed by John was 30K. Debian has
> similar elements, but that's only 10K. It's nontrivial to figure out the
> rest. Do you know the source for the solar's patch? Is there something
> to compare the 30K patch we're using against?
I went through the patch file "perl-5.8.3-tempfile.patch" practically line-by-line,
comparing it to both the Debian patch-file for tempfile issues and
assessing the effect of most every patch in it to the original sources. I
agree, at 30,629 bytes, it weighs in pretty big. Also it touches a lot of
perl .pm files, some perhaps unnecessarily.
When I reviewed all of the patches, where the hunks differ from Debian's
usually ends up inconsequential. Why? Because the places it differs from
Debian's is patching *documentation* -- sample code, not real code. A lot
of that 30k of patch-file is changing the POD sections of those pm's -- those
parts that are converted into Perl's man-pages.
> In the overlapping parts, there are some differences wrt. whether the paths
> are included or not compare "my $filename = filt" vs "my $filename =
> /var/run/filt" and on ppport.pm. It's not clear how I could determine which
> one is correct.
I see what you mean, Pekka. Again, most of those places are doc sections.
But I also see the difference in the hunk that patches "perl-5.8.3/ext/Devel/PPPort/PPPort.pm".
Although the solartmp patch may work there, the Debian
patch is no doubt correct and looks better to me. Also many hunks of the
solartmp patch are unnecessary, since all they are patching are docs, and
we're interested in security issues. Making a doc say "$HOME/$file" instead
of "/tmp/$file" is arguably not a security issue per se.
Furthermore one of the hunks, the only patch to CGI.pm,
--- perl-5.8.3.orig/lib/CGI.pm Mon Jan 19 18:46:25 2004
+++ perl-5.8.3/lib/CGI.pm Sun Jan 25 16:45:26 2004
@@ -2,6 +2,9 @@
require 5.004;
use Carp 'croak';
+# XXX: The temporary file handling implemented in here is crap. It should
+# be re-done making use of File::Temp.
+
# See the bottom of this file for the POD documentation. Search for the
# string '=head'.
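Review bot: a comment-only hunk has no effect on the shipped code and has no
place in a patch whose purpose is to carry CVE fixes; either bring in the
File::Temp rework the comment asks for, or drop the hunk, which is what the
review immediately below proposes.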
seems a rather useless patch: even were the added comment demonstrably true,
it's a bit unprofessional. If the patcher thinks the work should be done,
then he should do it rather than adding desultory comments.
The less unnecessary things we patch, the better. Would it be satisfactory
to port the Debian patch to replace the solartmp patch, Pekka? John? Matt?
Marc? Would anyone vote PUBLISH?
Further, if I did this for the FC1 package, would it need to be backported to
all the others?

Oh, now I found the Owl original patch:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/perl/perl-5.8.3-owl-tmp.diff
There was one relevant diff:
[the first is Owl, the second is ours]
< + unlink($TMP, '$SAFEDIR/a.out');
---
> + unlink($TMP, "$SAFEDIR/a.out");
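Review bot: the Owl form is the defect. In Perl, single quotes do not
interpolate, so `unlink($TMP, '$SAFEDIR/a.out')` tries to remove a file whose
name is literally "$SAFEDIR/a.out" and leaves the real a.out in $SAFEDIR in
place; the double-quoted version is the correct one.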
.. though I think ours is correct because '$ENV' doesn't seem to make sense if
the variable isn't expanded..
So, I can give FC1 version posted a PUBLISH. It's not fully clear what else may
be needed. I.e., do we need new packages for other distros or are they good
enough (but just lacking publish) ?

Well, the only major problem that I found in the FC1 version, "perl-5.8.3-cgi.pm.patch",
should not be an issue for the RH7.3 and RH9 versions of Perl.
The RH9 version will probably be okay; but what were you QA'ing in Comment #4,
Pekka?
I'll look at the RH9 and RH7.3 packages hopefully shortly (am concentrating
on Mozilla right now) and do source QA on them.
Do we still need a source rpm package for FC2? My reading of this bugzilla is
that one hasn't been proposed yet.

I think John proposed FC2 package, but it didn't look good. I was looking at
the RPMs that john had proposed in #3, AFAIR.
(btw, I reported the solar tempfile issue with '' vs "" upstream, and they'll
fix their patch.)

That was a good idea, reporting the tempfile issue regarding the '' quotes
instead of the "" ones upstream. If I recall, this has been fixed upstream
by the Perl maintainers in the most recent Perl versions.
Here's my understanding of the source packages that have been submitted for QA:
Distro  Comment #   Submitted   Package Name
======  ==========  ==========  ===============================================
RH73    Old Bgzla   2004-12-10  perl-5.6.1-37.0.7.3.legacy.i386.rpm (superseded)
RH73    Comment 3   2005-07-19  perl-5.6.1-38.0.7.3.legacy.src.rpm
RH9     Old Bgzla   2004-12-10  perl-5.8.0-89.0.9.legacy.src.rpm (superseded)
RH9     Comment 3   2005-07-19  perl-5.8.0-90.0.9.legacy.src.rpm
FC1     Old Bgzla   2004-12-10  perl-5.8.3-17.1.legacy.src.rpm (superseded)
FC1     Comment 3   2005-07-19  perl-5.8.3-18.1.legacy.src.rpm (superseded)
FC1     Comment 11  2005-09-21  perl-5.8.3-17.3.legacy.src.rpm (PUBLISH?)
FC2     (Not yet submitted)
==============================================================================
The 5.8.3-18.1 was mistaken for an FC2 package when in fact John submitted it
to be considered as an FC1 package. The confusion was due to the fact that
the FC2 package released by Red Hat is numbered 5.8.3-18. That's why when I
submitted the latest FC1 package, I renumbered it to 5.8.3-17.3. See FC1
changelog in comment 11.
In any event, a FC2 .src.rpm package is needed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Source QA for the Red Hat 9 .src.rpm from comment 3.
091966a58e7ec33f338dc1cedc361f5329850784 perl-5.8.0-90.0.9.legacy.src.rpm
downloaded from <www.fedoralegacy.org/contrib/perl>.
Sources:
* source tarball perl-5.8.0.tar.bz2 appears pristine.
New Patches:
I did patch comparisons with RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3,
2005 and also referencing similar (new) patches from the FC1 perl-5.8.3
sources.
* perl-5.8.0-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448
patch. Is properly commented out in the spec file so it it not applied.
(Although moot, it does match RHEL 3's perl-5.8.0-rmtree.patch.)
* perl-5.8.0-CAN-2005-0077-perl-DBI-tmpfile.patch: This patch does not
belong with this .srpm package. Instead, it should patch the perl-DBI
.srpm package (in RH9, perl-DBI-1.32-5.src.rpm). Though included, it
is not applied, because there is nothing in here to apply it to.
* perl-5.8.0-CAN-2005-0155-0156-perlio.patch: Same as RHEL 3's
perl-5.8.0-bug33990.patch. Looks good.
* perl-5.8.0-CAN-2005-0448-rmtree.patch: Looks good. Compares well with
the similar patch in FC1's srpm, with minor alterations to fit 5.8.0's
source file.
* perl-5.8.0-cgi.pm.patch: This is the same patch as RHEL 3's
perl-5.8.0-CGI-encoded-path.patch. Looks good.
* perl-5.8.0-tempfile-5.8.3-backport.patch: This is a full implementation
of the OWL/Solar temp patch. It includes the same bugs that we have
noted before:
1) Line 732-733 -- Does the unlink($TMP, '$SAFEDIR/a.out'), rather than
the more effective unlink($TMP, "$SAFEDIR/a.out"), that Pekka
noticed in comment 15.
2) Lines 380, 389, and 490: These lines are attempting to replace:
"/tmp/perldbtty$$"
with:
"/var/run/perldbtty$$"
in both perl-5.8.0/lib/perl5db.pl and perl-5.8.0/pod/perlfaq5.pod
In this instance, I agree with Debian's approach, which instead
replaces:
"/tmp/perldbtty$$"
with:
"$ENV{HOME}/.perldbtty$$".
or something similar, both in live code and in documentation.
This is an important change because no users except for root
have access to create or maintain a "/var/run/xxx" file at
all, but all users have permissions to write hidden files to
their own home directory.
* All other old patches and source-files are exactly the same (comparing
to RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3, 2005), except for a
couple of non-security fixes to the RHEL 3 Perl.
I will attach an updated perl-5.8.0-tempfile-5.8.3-backport.patch in the
next comment that fixes the two issues noted above.
Although everything else is fine, I cannot vote PUBLISH on this package
without these or similar fixes in place.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDVX7Gxou1V/j9XZwRAm9PAKD1ux64AmU99H1wcqlCZoGKvikFWwCgo6ZE
gSohlCcPHwt7nYnp94WlMvU=
=3rP7
-----END PGP SIGNATURE-----

In comment #15, Pekka, you stated that you can give the FC1 version a
PUBLISH. If we don't need a gpg signature around it, then FC1 has your
PUBLISH vote already. No new packages are needed, AFAICT.
A reckoning of votes needed so this can be officially built to be pushed
to updates-testing:
* RH73 (John Dalbec's from comment #3) needs publish QA. The result of
that QA will determine if the .src.rpm is okay or if it needs something
to be fixed in it or its patches. (Sorry I didn't get around to doing
QA on this awhile back!)
* RH9 (updated in comment #24) needs a publish QA, which I cannot do,
since I submitted the .src.rpm. The update to the OWL/Solar tempfile
patch I submitted in comment #22 is exclusively for the RH9 version
of Perl for (small) errors I noted in comment #21's QA for RH9 Perl.
(Please note all problems I found in comment #21 for RH9 were already
fixed in the FC1 version of Perl.)
* FC1 (updated in comment #11) should be ready to go; it fixes all relevant
CVE's and bugs, and Pekka voted to PUBLISH in comment #15. Yes?
* FC2 (John Dalbec's from comment #25) now needs publish QA.

I took look at RHL9, FC1 and FC2. They're all good, however, PKGS line in RHL9
should IMHO not be changed, and this can be fixed at build time.
RHL73 is also good, except for the tempfile backport patch. I didn't go through
it completely. It seems most stuff that has been left out of RHL73 is on man
pages, but I didn't verify. Could someone else check this?
a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm
0dac664e1c7ee89911a0aba52635481bd13ac9c5 perl-5.8.0-90.0.10.legacy.src.rpm
4cc87b1cc3df776fd4b938ee4ef335a92f3e0c20 perl-5.8.3-17.3.legacy.src.rpm
83d8db018eaab6c58922144773b32f2a7e775813 perl-5.8.3-19.2.legacy.src.rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Source QA for the Red Hat Linux 7.3 .src.rpm from comment 3.
a273e8ee1cb2002a50e902b80b99717dbb8dead4 perl-5.6.1-38.0.7.3.legacy.src.rpm
downloaded from <www.fedoralegacy.org/contrib/perl>.
* source tarball perl-5.6.1.tar.gz appears pristine.
* old patches in this .src.rpm are exactly the same as was in the
previously released perl-5.6.1.
* the spec-file looks good.
New Patches:
Pekka's already gone through these pretty thoroughly. He notes in comment
#29, "RHL73 is also good, except for the tempfile backport patch. I didn't
go through it completely. It seems most stuff that has been left out of
RHL73 is on man pages, but I didn't verify."
The combination of the older patch1002 (perl-5.6.1-solartmp.patch) and John's
patch1003 (perl-5.6.1-tempfile-5.8.3-backport.patch) yields approximately the
same OWL/solardesigner patch for CVE-2004-0976 we've seen in the other distros,
which includes stuff for the .pod/.man pages. The only differences occur in
the necessary changes for the backport process: hunks that don't apply
are appropriately removed, and some other hunks take small tweaks to apply.
The tempfile patches look good enough and complete. (With a mild reservation;
see footnote in comment #32.)**
I went through all the new patches anyway. Only 2 of the 6 included new
patches are applied:
>* 1003) perl-5.6.1-tempfile-5.8.3-backport.patch - checked out, OK.
>* 1007) perl-5.6.1-CAN-2005-0448-rmtree.patch - checked out, OK.
The other 4 new patch files:
1004) perl-5.6.1-CAN-2004-0452-rmtree.patch - not used, superseded
by CAN-2005-0448 rmtree patch.
1005) perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch - not used, patches
a different .src.rpm, shouldn't be here.
1006) perl-5.6.1-CAN-2005-0155-0156-perlio.patch - not used, doesn't apply.
Perl-5.6.1's perlio.c would not appear to be vulnerable to these
issues, as there is no code for debugging in this much older .c file.
1008) perl-5.6.1-cgi.pm.patch - not used, doesn't apply.
These 4 inapplicable patch files could be removed from the spec-file. But,
with the exception of patch1005, it might be good to at least mention them
there in spec-file comments, so future maintainers may know that these
patches were omitted on purpose.
In summary, everything looks ship-shape in these RHL 7.3 sources in
perl-5.6.1-38.0.7.3.legacy.src.rpm.
PUBLISH++ RHL73's perl-5.6.1-38.0.7.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDm5I+xou1V/j9XZwRAsdWAJ9UM1OFrbf2kG54FiR6wNN2GZRdWgCg4TkB
UAsbAlXHEqZIAIHapiMjVmE=
=A89e
-----END PGP SIGNATURE-----

Created attachment 122107
Possible revised perl-5.6.1-solartmp.patch for RHL73
Footnotes to comment 31:
------------
**
I have a minor nit with the old solartmp patch (perl-5.6.1-
solartmp.patch) from Red Hat: the same nit I had for RH9's perl in
comment 21 in point (2) of the tempfile-backport patch comments
(which I fixed in RH9's and FC1's packages, to be like Debian's
patch). The changes I would suggest would change lines 162, 171,
and 202 of perl-5.6.1-solartmp.patch.
162c162
< +# uses the value of noTTY or "/var/run/perldbtty$$" to find TTY using
---
> +# uses the value of noTTY or "$HOME/.perldbtty$$" to find TTY using
171c171
< + my $rv = $ENV{PERLDB_NOTTY} || "/var/run/perldbtty$$";
---
> + my $rv = $ENV{PERLDB_NOTTY} || "$ENV{HOME}/.perldbtty$$";
202c202
< +startup, or C<"/var/run/perldbtty$$"> otherwise. This file is not
---
> +startup, or C<"~/.perldbtty$$"> otherwise. This file is not
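Review bot: the replacement at line 171 assumes $ENV{HOME} is set. Under cron,
in daemons and in sanitised setuid environments it is empty, and
"$ENV{HOME}/.perldbtty$$" then collapses to "/.perldbtty$$" in the root
directory, which ordinary users cannot create. A fallback to the passwd entry,
e.g. `($ENV{HOME} || (getpwuid($<))[7]) . "/.perldbtty$$"`, keeps the path
per-user in those cases; the POD changes at lines 162 and 202 can stay as
written.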
But since everything else is fine, and Red Hat hadn't fixed this
error in a recent patch it put into place for CVE-2004-0976 for FC4
(in perl-5.8.6-CAN-2004-0976.patch, <http://tinyurl.com/87kbv>, remaining
in <http://tinyurl.com/bxeyj>), I think we can let this go,
for the purposes of getting this package voted PUBLISH to move on.
(I've submitted Bug # 175467 to Red Hat for the FC4 bug.)
Would anyone complain if a revised perl-5.6.1-solartmp.patch file
(attached) were put in place at package build for updates-testing
time? It would have the benefit of making the code pretty well match
upstream perl-5.8.7.

Created attachment 122440
side-by-side diff listing of RH7.3 spec files
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Like John Dalbec, I found on the FL build server that perl in RH7.3 has
problems building in mach, because it tries to run RPM during the build.
My workaround was to take John's suggested workaround from comment 3,
building the file-lists by hand that the rpm query commands in the build
process would have created, then placing those file lists as files in the
.src.rpm as Source11 and Source12.
RH7.3 Perl now builds in mach okay on the build server.
Any critique on this method of building Perl would be appreciated.
Enclosed is a side-by-side difference listing of the previous perl.spec and
the new perl.spec. Also, if you'd like to take a look at the full .src.rpm
with the new spec-file, it is available to look at:
4f3aa62b967726046884fe9f3f33783b2278b9aa perl-5.6.1-38.0.7.3.2.legacy.src.rpm
<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.src.rpm>
I said that it builds in mach okay. Well, it mostly does. There is one
error that is caught in the regression tests; that error does not cause the
build to fail. It is this:
.
.
.
lib/safe3............FAILED at test 1
.
.
.
Failed 1 test script out of 254, 99.61% okay.
I am not sure what this error is about. Do any of you have any ideas?
Do any of you that have a bona-fide RH7.3 environment (machine or vmware),
can you try building the above .src.rpm and see if that error occurs when
you build it?
In case it helps, the build log from mach on jane (FL's build-server) is also
available:
c3a0a6500b3fdfc182574940dd9e71e55a1e1b0b perl-5.6.1-38.0.7.3.2.legacy.build.log
<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.build.log>.
Would appreciate any suggestions or thoughts.
I am planning on going ahead and building RH9, FC1 and FC2 on the build
server starting this evening. RH9 will, I think, require similar changes
to build in mach as RH7.3 did.
Thanks! --David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFDp6RTxou1V/j9XZwRAitUAKCWrbAVlkZ+3FYTGcBYUripRjwtxgCg9I0P
ZgYtuP2ZSWOnNZ9JU9xRHcI=
=MYJq
-----END PGP SIGNATURE-----

OK, I've removed byacc and bison from my RHL 7.3 system and I still don't get a
failure. (I guess it could be because I already installed the new Perl
version.) If I can get Mach working I'll see if I can reproduce the error
there. Otherwise, the only meaningful difference I see between the build logs
is the kernel version.

Created attachment 122469
Differences between build logs
I rebuilt the SRPM you provided using Mach 0.4.7 (customized to set
LD_PRELOAD=/usr/lib/libselinux-mach.so in $buildroot/root/.profile and using a
local mach-libselinux package to install libselinux-mach.so in the buildroot)
in a RH7.3 buildroot on a FC3 host. I didn't get the safe3 error. I have
kernel.vdso = 0 in /etc/sysctl.conf on the host. The command I used was LANG=C
nohup mach -d -f -r rh73l rebuild perl*.src.rpm > build.log 2>&1 &. I compared
your "perl*.build.log" to the "rpm.log" file that was generated.

Okay. I've figured it out. The problem is the newness of mach to yours
truly. Sorry 'bout that.
Instead of doing
$ mach -r rh73 rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm
yours truly needed to do
$ mach -r rh73u rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm
The first form on jane builds packages from the original os distribution
RPMs. The second form builds packages from the most recently updated RPMs.
Just now learned that.
With that, the bug went away. safe3.t passes its test. Oh, and I added
BuildRequires: byacc, since perl builds seem to prefer it if it's available.
Your work and your comments were a great help, John. Thanks!

New vulnerability: CVE-2005-3962: "Integer overflow in the format string
functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers
to overwrite arbitrary memory and possibly execute arbitrary code via format
string specifiers with large values, which causes an integer wrap, as
demonstrated using format string vulnerabilities in Perl applications."
RedHat has issued RHSA-2005:881 (RHEL 3) and RHSA-2005:880 (RHEL 4) and also
updates for FC3 and FC4 for this new issue.
This is also mentioned in the FL thread starting at:
<http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00010.html>
and ending with
<http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00065.html>.
RHL 9, FC1, FC2 are affected, but RH7.3 isn't by this new issue.
Do we
(1) Open a new bugzilla for this issue?
(2) Tackle this new issue here?
I lean towards opening a new bug....

Created attachment 122692
Proposed text of Test Update Notification for this issue
Have built packages to be pushed to updates-testing. They yet
need to be signed.
Enclosed is a proposed text for the Test Update Notification when
these packages are signed and pushed to updates-testing. Please
let me know if you see any errors or omissions. Thanks. -David